Overview

The CFAA was developed over time as a merger of ~7 different areas of law. It has developed in an aggregate way, and few groups are happy with the current law. It is so broad that prosecutors like it because they can use it to force plea bargains, since it applies to almost everything in its sphere of action (relying on prosecutorial judgement).

Different parts of the story: national defense, cyber war, data security, corporate law, online contracts. Authorization can be based on code, on contract, or on social norms. Legal frameworks are used to push political ends. Career standards for prosecutors are defined in political ways.

Comparative Law

Details

Aspects of the search

"Advanced technical crime" -- The deployment of the SS was a bit peculiar, but they were the only federal agents trained in what they were looking for.

Civil rights concerns

Part of the prosecution that was particularly troubling: at one point in the investigation, it felt as though they were keeping the prosecution going because they had spent so much time bringing it along. There was no will from the victims to keep it going, and not necessarily any other desire, but the prosecutors for their own reasons wanted a conclusion.

Negative principles

Points of consensus

Based on conversations with folks at the Cambridge/Boston hack, these principles emerged as points of agreement. Other groups, feel free to chime in as well.

Scope should be limited - the law should not run to the boundary of what we find ethical or moral. As with media law and "bad journalism", copyright and "plagiarism," the law should leave the edge cases for the community to set up a moral/normative/shame-oriented punishment scheme.

We feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations.

Focus on bad access and leave use to other laws - laws on copyright, trade secrets, identity theft, espionage, extortion, and fraud govern most of the "scary" use cases.

Consent should always be a defense - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access their computer in that way.

Circumvention of a code-based authentication measure should be unlawful (leaving proportionality for another discussion). This includes cracking, password guessing, or human-engineering password disclosure.

Penetration testing is squishy - an open call for bug bounties should be treated like consent to at

Open questions

Feel free to suggest brief answers, or pointers to where this is discussed.

Does 'authentication' make sense as the basis for such a law?

As opposed to other bases such as trespass and access. Compare historical ways of handling these issues.

Is feigning authentication fraud? (e.g. when simply making up a new account: impersonating yourself, not someone else)

Where do the following edge cases fall?

'Sockpuppeting' authentication, where it's assumed you have one account per user?

This is rarely clearly prevented.

Not the worst thing to do; it's not the same as impersonating a real person.

Circumventing the auth process altogether?

This tends to be pretty bad. It's clearly defeating the system when it requires finding a subtle exploit.

It can be less bad when a system has an auth system but doesn't use it (e.g. the credential is never checked).